>Number: 10195
>Category: kern
>Synopsis: fxp0 (and possibly tlp0 and others) corrupt raw IP packets
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: kern-bug-people
>State: open
>Class: sw-bug
>Submitter-Id: net
>Arrival-Date: Wed May 24 12:27:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator: Christian E. Hopps
>Release: May 7, 2000
>Organization:
None
>Environment:
System: NetBSD defoe 1.4Y NetBSD 1.4Y (GATED) #13: Wed May 24 14:51:22 EDT 2000 chopps@sulfur:/usr/src/sys/arch/i386/compile/GATED i386
>Description:
The ip_len field of a raw-IP packet that is comprised of at least
2 mbufs in a chain is being byte-swapped, at least on i386, back
into host order. This byte-swap occurs sometime after queueing it
on the actual interface output queue. This was verified by examining
the ip_len field in the mbuf immediately prior to and after queueing in
ether_output().
Note: packets sent, e.g., on SOCK_DGRAM do not seem to be corrupted,
and packets sent non-broadcast do not seem to be corrupted either.
The DGRAM case was not fully investigated. It could be that
for packets sent on a DGRAM socket different mbuf chaining occurs.
>How-To-Repeat:
non-corrupting version:
ping -n <broadcast>
corrupting version:
ping -s 144 -n <broadcast>
The payload size of 144 forces the packet to be created with
an mbuf chain instead of a single mbuf.
>Fix:
Unknown.
>Release-Note:
>Audit-Trail:
>Unformatted:
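
A receiver-side check for the symptom described above, added here as an example and not part of the original report or of NetBSD: it classifies the IPv4 total-length field of a captured packet as correct, byte-swapped, or otherwise wrong. It assumes the swapped ip_len reaches the wire unchanged; check_ip_len, build_sample and the IPLEN_* names are hypothetical, and the sample packet is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define SAMPLE_LEN 172  /* 20 IP + 8 ICMP + 144 payload, as in "ping -s 144" */

enum iplen_status { IPLEN_OK, IPLEN_SWAPPED, IPLEN_BAD, IPLEN_INVALID_HDR };

/* pkt points at the IPv4 header; caplen is the count of IP bytes captured
 * (frame length minus the link-layer header). */
enum iplen_status check_ip_len(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 20 || (pkt[0] >> 4) != 4)
        return IPLEN_INVALID_HDR;
    size_t hlen = (size_t)(pkt[0] & 0x0f) * 4;
    if (hlen < 20 || hlen > caplen)
        return IPLEN_INVALID_HDR;

    /* ip_len as a receiver decodes it (big-endian), and with bytes swapped. */
    size_t wire    = ((size_t)pkt[2] << 8) | pkt[3];
    size_t swapped = ((size_t)pkt[3] << 8) | pkt[2];

    /* A sane length covers the header and fits in the captured bytes
     * (it may be smaller than caplen because of Ethernet padding). */
    if (wire >= hlen && wire <= caplen)
        return IPLEN_OK;
    if (swapped >= hlen && swapped <= caplen)
        return IPLEN_SWAPPED;   /* the pattern described in this report */
    return IPLEN_BAD;
}

/* Constructed sample: minimal IPv4/ICMP header, remaining bytes zeroed. */
void build_sample(uint8_t *buf, int host_order_len)
{
    memset(buf, 0, SAMPLE_LEN);
    buf[0] = 0x45;              /* IPv4, 20-byte header */
    buf[9] = 1;                 /* protocol: ICMP */
    if (host_order_len) {       /* little-endian host order leaked to the wire */
        buf[2] = SAMPLE_LEN & 0xff; buf[3] = SAMPLE_LEN >> 8;
    } else {                    /* correct network order */
        buf[2] = SAMPLE_LEN >> 8;   buf[3] = SAMPLE_LEN & 0xff;
    }
}
```

The check is a heuristic: a length whose two bytes are equal looks the same in either order and cannot be flagged.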